Issue 4860: js_output wrong for cookies with " characters

Created on 2009-01-06 21:44 by noufal, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name | Uploaded | Description
cookie.patch | noufal, 2009-01-06 21:44 | Patch to fix js_output for cookies with an unquoted " character
cookie-2.patch | vstinner, 2009-01-07 09:37 |
issue4860.diff | orsenthil, 2009-04-01 23:33 |
Messages (8)
msg79292 - (view) Author: Noufal (noufal) Date: 2009-01-06 21:44
If a cookie is created with a " character in the content, the js_output which is emitted is bad JavaScript, e.g.

>>> import Cookie
>>> c=Cookie.Cookie('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
>>> print c
Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme; Version=1
>>> print c.js_output()
>>>

Also, the test_cookie tests (test_load) explicitly check for this (wrong) output. I have attached a patch that seems to fix this or at the very least produces the same Cookie settings whether the cookie is set using the header or using JavaScript (I've verified this on Firefox on Linux).
msg79312 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-07 09:37
The patch looks correct but it breaks the unit test: updated patch fixes Lib/test/test_cookie.py.
msg79336 - (view) Author: Noufal (noufal) Date: 2009-01-07 15:18
A lot of the cookie tests need to be updated. A separate bug was filed regarding this. http://bugs.python.org/issue3788. I'm working on that now and will apply your patch there as well.
msg79339 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-07 15:25
The characters <>& should also be escaped.
msg79909 - (view) Author: Noufal (noufal) Date: 2009-01-15 18:12
What's wrong with < and >? I can see the issues with ; though.
msg79915 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2009-01-15 19:53
> What's wrong with < and >?

>>> c=Cookie.Cookie('Customer="";'); print c.js_output()
""; // end hiding -->

It allows HTML/JavaScript injection. Well, Python 2.5 already displays a warning:

/usr/lib/python2.5/Cookie.py:710: DeprecationWarning: Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove the deprecated and insecure function!
msg85121 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2009-04-01 23:33
Cookie.Cookie is deprecated in Py2k. In Py3k, it is http.cookies.SimpleCookie. The bug was present in Py3k; the attached patch fixes it.
msg85149 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2009-04-02 03:04
Because SimpleCookie class is still usable (that is not deprecated), it makes sense to back port to Py2.7. Applied the patches in revision 71030 and r71029. Thanks.
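
The check Noufal describes in msg79292 (the script must set the same cookie as the header), written here as an added regression audit; it is not code from this thread or from CPython. The helper names `cookie_literal`, `audit_literal` and `audit_cookie` are hypothetical, and the second literal is constructed to represent output with unescaped quotes. The audit also flags the characters from msg79339 wherever they appear in the script block.

```python
import re
from http.cookies import SimpleCookie  # Py3k name given in msg85121

RISKY = "<>&"  # characters msg79339 says should also be escaped

def cookie_literal(js):
    """Return the text between the quotes of `document.cookie = "...";`."""
    m = re.search(r'document\.cookie = "(.*)";[ \t]*$', js, re.MULTILINE)
    return m.group(1) if m else None

def audit_literal(raw, header):
    """List problems with a JS string body that should set `header`.
    Only \\" and \\\\ are decoded; other backslash escapes are reported."""
    if raw is None:
        return ["no document.cookie assignment found"]
    findings, out, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == '"':  # the bug in this issue: the quote closes the JS string
            return ["unescaped quote ends the string at offset %d" % i]
        if ch == "\\":
            ch = raw[i + 1:i + 2]
            if ch not in ('"', "\\"):
                findings.append("escape \\%s is not decoded here" % ch)
            i += 1
        out.append(ch)
        i += 1
    if "".join(out) != header:
        findings.append("script sets a different cookie than the header")
    hits = sorted(set(raw) & set(RISKY))
    if hits:
        findings.append("markup characters in script block: " + " ".join(hits))
    return findings

def audit_cookie(cookie_header):
    """Audit js_output() of every morsel parsed from a cookie string."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: audit_literal(cookie_literal(m.js_output()), m.OutputString())
            for name, m in jar.items()}

# Cookie string from msg79292, and a constructed literal with unescaped quotes.
PAGE_COOKIE = 'Customer="WILE_E_COYOTE"; Version=1; Path=/acme'
UNESCAPED_LITERAL = 'Customer="WILE_E_COYOTE"; Path=/acme; Version=1'

if __name__ == "__main__":
    print(audit_cookie(PAGE_COOKIE))
    print(audit_literal(UNESCAPED_LITERAL, UNESCAPED_LITERAL))
```

An empty findings list means the string literal is well formed and decodes to exactly the morsel's header value.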
History
Date | User | Action | Args
2022-04-11 14:56:43 | admin | set | github: 49110
2009-04-02 03:04:54 | orsenthil | set | status: open -> closed; messages: +; versions: + Python 3.1
2009-04-01 23:33:13 | orsenthil | set | files: + issue4860.diff; nosy: + orsenthil; messages: +; assignee: orsenthil; resolution: accepted
2009-01-15 19:53:55 | vstinner | set | messages: +
2009-01-15 18:12:29 | noufal | set | messages: +
2009-01-07 15:25:14 | vstinner | set | messages: +
2009-01-07 15:18:14 | noufal | set | messages: +
2009-01-07 09:37:19 | vstinner | set | files: + cookie-2.patch; nosy: + vstinner; messages: +
2009-01-06 21:44:10 | noufal | create |